On Wed, 04 Feb 2015 21:09:40 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: jython
> Version: 2.5.2-1
> Severity: important
> Tags: security upstream
>
> Hi
>
> Several issues were mentioned in Red Hat Bugzilla at [0] referencing
> the issue which creates executable class files with wrong permissions
> with CVE-2013-2027.
>
> At least it seems present in the Debian package that the package
> writes to /usr/share. In the SuSE bugzilla[1] there are some links to
> fixes applied in SuSE[2].
>
> Could you please double-check the jython package in Debian?
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
> [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
> [2] https://build.opensuse.org/request/show/284056
I had a look at this vulnerability but I couldn't reproduce the attack vector described at
https://bugzilla.redhat.com/show_bug.cgi?id=947949

The file is still read-only for everyone and group owners.

The patches at
https://build.opensuse.org/request/show/284056
https://bugzilla.redhat.com/show_bug.cgi?id=947949
cannot be applied as is because we use a newer Jython version. According to upstream
http://bugs.jython.org/issue2044
this issue appears to be resolved in version 2.7 but they give no details whether this is fixed in the 2.5 series.

I suggest keeping the bug open until 2.7 is packaged but I don't think this is an issue for Debian. More feedback is welcome.

Markus
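The check the reply describes (confirming that the generated class files are not writable by group or others) can be scripted so it is repeatable across package rebuilds. The following is an added example, not code from the thread, Debian or the Jython project; the directory layout and file names it creates are constructed for the demo, and the real install path under /usr/share is not assumed.

```shell
#!/bin/sh
# Added example: report regular files under a directory whose mode grants
# write permission to group or others. Files a program generates with such
# modes are the "wrong permissions" the bug report is about.

# find_writable DIR: print each regular file under DIR that is group- or
# world-writable, one per line, sorted for stable output.
find_writable() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort
}

# count_writable DIR: number of such files (0 means the tree is clean).
count_writable() {
    find_writable "$1" | wc -l | tr -d ' '
}

# demo_check: build a constructed cache tree with one world-writable
# compiled class file and one correctly read-only one, run the check,
# clean up, and print the count of offending files.
demo_check() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cachedir/packages"
    # constructed file names in Jython's Name$py.class style
    : > "$dir/cachedir/packages/Foo\$py.class"
    chmod 666 "$dir/cachedir/packages/Foo\$py.class"   # wrong: world-writable
    : > "$dir/cachedir/packages/Bar\$py.class"
    chmod 644 "$dir/cachedir/packages/Bar\$py.class"   # expected: owner-only write
    n=$(count_writable "$dir")
    rm -rf "$dir"
    echo "$n"
}

# Usage on a real tree: count_writable /path/to/jython/cachedir
# A non-zero count lists candidates for a permissions fix in the package.
```

Running `count_writable` against the package's installed cache directory after a build gives a single number that can be asserted in a packaging test; `find_writable` lists the individual files when the count is not zero.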
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.